Credit Card Numbers Considered Harmful

The PCI DSS standard goes to great lengths to protect Primary Account Numbers (PANs), the numbers on our credit cards. If you are breached and PAN data is stolen, the card brands can fine you (the fine lands on your acquiring bank, which passes it on to you). They can also require you to implement better security and to validate at a higher compliance level. This is a problem for small and large businesses alike.

If you are a small business, the fines and the cost of the stricter controls can put you out of business. Just paying for the required forensic investigation can run into tens of thousands of dollars. Fines and the move to a higher level of compliance can take you to a hundred thousand dollars. Since small businesses typically don't have great security to begin with, this is a very real risk for the small guy. How do you deal with that?

One simple approach is to treat PANs as if they were a toxic substance that you never want in your environment. Don't store them. If you get breached, stored PAN data is a treasure trove for the attackers, and you'll pay the price in fines. If you must keep a reference to the card (for refunds, recurring billing, or recognizing repeat customers), use tokenization: a provider stores the real PAN in its own vault, offsite, and hands you back a random token that is worthless without that vault. A breach of your systems then exposes tokens, not card numbers, which limits the impact.
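To make the tokenization idea concrete, here is an added example (not code from the original post, and not any real provider's API): a stand-in `TokenVault` plays the offsite provider, the merchant's store keeps only a token and the last four digits, and a small scanner shows what an attacker who dumps each version of the merchant database would actually get. All class and function names are invented for the example, and the sample card numbers are the publicly known card-brand test numbers, not real accounts.

```python
"""Tokenization vs. storing PANs, plus a scanner for PANs left behind.

Added example, not the article's code. TokenVault stands in for the offsite
tokenization provider; every other name here is illustrative.
"""
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass

# Constructed sample input: publicly known card-brand *test* numbers, not real accounts.
SAMPLE_SALES = [
    (1001, 4999, "4111 1111 1111 1111"),
    (1002, 12000, "5555-5555-5555-4444"),
    (1003, 250, "378282246310005"),
    (1004, 999, "4111 1111 1111 1111"),  # repeat customer, same card
]


def _normalize(pan: str) -> str:
    return re.sub(r"[ -]", "", pan)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every card PAN passes; filters out random digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the offsite provider: the only place a full PAN is ever stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        pan = _normalize(pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:  # same card -> same token, so the merchant
            return self._token_by_pan[pan]  # can match repeat customers without a PAN
        # Random, not derived from the PAN: there is no key or hash to reverse, the vault
        # is the only link. Letters only, so a token can never look like a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(20))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider side (e.g. when submitting a refund) ever calls this."""
        return self._pan_by_token[token]


@dataclass
class Order:
    order_id: int
    amount_cents: int
    card_token: str
    last4: str  # enough for receipts and customer service


class MerchantDB:
    """Merchant-side store; holds tokens and last4, never a PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: list = []

    def record_sale(self, order_id: int, amount_cents: int, pan: str) -> str:
        pan = _normalize(pan)
        token = self.vault.tokenize(pan)
        self.orders.append(Order(order_id, amount_cents, token, pan[-4:]))
        return token

    def dump(self) -> str:
        """What an attacker gets after dumping the merchant's table."""
        return "\n".join(repr(o) for o in self.orders)


def naive_dump(sales) -> str:
    """The same records if PANs are stored directly: the 'toxic' design."""
    return "\n".join(f"order={oid} amount={amt} pan={pan}" for oid, amt, pan in sales)


# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Scan a dump or log for Luhn-valid PANs; run this over your own data stores."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _normalize(m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def demo() -> dict:
    vault = TokenVault()
    db = MerchantDB(vault)
    for oid, amt, pan in SAMPLE_SALES:
        db.record_sale(oid, amt, pan)
    return {
        "leaked_naive": find_pans(naive_dump(SAMPLE_SALES)),  # every PAN, repeat included
        "leaked_tokenized": find_pans(db.dump()),  # nothing usable
        "orders": len(db.orders),
        "distinct_tokens": len({o.card_token for o in db.orders}),
    }


if __name__ == "__main__":
    print(demo())
```

The scanner is the part worth keeping: run something like `find_pans` over database exports, logs, backups and support-ticket text on a schedule, because a PAN that leaks into a log line puts that system right back in PCI scope, tokenization or not.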

Use point-to-point encryption (P2PE) on your POS terminals. With P2PE, unencrypted card data never enters your POS systems or your network. It is encrypted inside the card reader's secure hardware and stays encrypted until it reaches the payment processor's decryption environment. If someone breaches your POS systems, there are no PANs in memory for them to scrape, which is exactly how most retail card breaches harvest their data. A PCI-listed P2PE solution also shrinks your PCI DSS scope, because your systems never handle cleartext card data.

Are P2PE card readers more expensive than their non-encrypting cousins? You bet. Consider the extra cost an insurance policy against disastrous fines.

If you follow these suggestions, does that mean that you can skimp on security? No. You still have to be PCI DSS compliant; tokenization and P2PE reduce your scope, they don't eliminate it. Beyond that, you still need to do your best to make your systems secure. But P2PE and tokenization go a long way toward securing your PAN data and limiting your exposure.